As discussed in my previous blog post, many loss-causing cyber incidents are not actually cyber attacks. While that blog was focused on downtime events, such as cloud failures, in this blog we’ll take a look at the types of events that can lead to data compromise, which can be quite costly from an insurance perspective. Our analyses show that most of the losses paid out on affirmative cyber policies are due to data compromise. There are dozens of ways to classify cyber events, but our framework groups them into 8 key categories. Each of these 8 categories, or event vectors, can lead to substantial insured loss.
Malicious Breach: This category includes hacks and other similar malicious causes of a data compromise. Many of the most notable and newsworthy historical events fall into this category, including Anthem, Equifax, and Capital One.
Phishing/Social Engineering: During 2019, at least 29 employees at Munson Healthcare fell victim to a phishing scam that gave bad actors access to the Munson network. This exposed thousands of medical records and other forms of personal information to the scammers. The healthcare company had to notify patients and offer credit monitoring services to those who were impacted.
Lost/Stolen Device: In 2014, Visionworks performed a server upgrade. The old server, which contained partially unencrypted health information for 48,000 customers, was misplaced. Although it wasn’t proven that the old server’s data was misused, Visionworks still notified their customers of the potential breach and offered a year of credit monitoring.
Unintentional Disclosure: Back in 2005, Kaiser had a potentially public website that had been available for up to four years and contained personal health information. The site had been developed as a testing portal but was left active. Kaiser had to notify all impacted people and pay a USD 200,000 fine.
Physical Tampering: In 2012, five people in the Toronto area were arrested for tampering with the Toronto Transit Commission’s point of sale terminals and purchasing CAD 180,000 worth of passes illegally. While it is believed that the Transit Commission didn’t lose any money in this event, banks that had their customers’ cards compromised may have suffered losses.
Cyber Extortion: This category includes not only more traditional forms of encrypting or wiping ransomware but also events such as the 2019 extortion of Asurion. After stealing thousands of employee records and millions of customer records, a bad actor attempted to extort the company for USD 350,000 to not release the data publicly. The company paid more than USD 300,000 before law enforcement apprehended a suspect.
Unauthorized Access: A housing inspections employee in Minneapolis used his legitimate access to driver’s license records for his own personal reasons. A similar lawsuit against Minneapolis resulted in a nearly USD 400,000 fine.
Unauthorized Data Collection: In 2017 and 2018, UK-based pregnancy and parenting club, Bounty, collected and shared 34 million data records. When they collected the information, they did not properly inform users that their data would be shared with credit reporting agencies and marketing companies. In the end, Bounty was fined GBP 400,000 by the UK’s Information Commissioner’s Office.
Splitting Data into These Vectors
This summer’s release of ARC, our leading cyber modeling platform, will include the ability to split data compromise losses into these 8 event vectors. In addition, ARC will allow users to split the losses into 13 different insurance coverages, ranging from forensics and notification costs to public relations fees and fines. You can hear more details during our webinar later this summer, What’s New with Cyber Risk Modeling or contact your sales representative to schedule a demo of the forthcoming release.
Webinar: What’s New with Cyber Risk Modeling—Register to hear the latest updates to ARC